Conor Fitzpatrick (Pompompurin) and the Fate of BreachForums: Three Years in Prison for the Hacking Forum Founder

Conor Fitzpatrick, known by his alias "Pompompurin" and founder of the prominent hacking forum BreachForums, will serve a three-year prison sentence after a review of his case. Fitzpatrick was convicted on charges related to operating BreachForums and possession of child sexual abuse material (CSAM).

The BreachForums forum amassed a massive database exceeding 14 billion records and 330,000 members, having defied numerous attempts by law enforcement to shut it down. Currently, the forum is inactive, with its founders and prominent cybercrime groups such as Lapsus$ and Scattered Spider opting to "disappear" from the digital scene.

Arrest of Conor Fitzpatrick and the Charges Against Him

In March 2023, Fitzpatrick was arrested for his role in operating BreachForums. The charges against him included conspiracy to commit access device fraud, aiding and abetting such fraud, and possession of child sexual abuse material. Fitzpatrick pleaded guilty to all three charges in January 2024.

What are Fraudulent Access Devices?

According to U.S. federal law, "access devices" are broadly defined to include any instrument or information that allows a person to obtain money, goods, services, or anything else of value. This includes physical cards such as credit and debit cards, as well as digital or electronic information used for similar purposes.

Fraud involving access devices, as stipulated in 18 U.S.C. § 1029, includes activities such as the deliberate production of counterfeit access devices, trafficking in them, or possessing them with fraudulent intent. It also encompasses conducting fraudulent transactions using an access device issued to another person with the intent to illegally obtain payments or anything else. Legal Information Institute.

Review of the New Sentence

An initial sentence was issued against Fitzpatrick, stipulating only 17 days in prison, followed by 20 years of supervised release. However, prosecutors deemed this sentence overly lenient given the seriousness of his crimes and filed an appeal. The U.S. Court of Appeals for the Fourth Circuit granted the appeal, affirming that "the brief 17-day sentence did not achieve the desired goals of punishment, and was therefore deemed substantively unreasonable."

Consequently, the previous sentence was overturned and Fitzpatrick was re-sentenced, receiving a new judgment of three years in federal prison. U.S. Attorney for the Eastern District of Virginia, Eric S. Siebert, affirmed that Conor Fitzpatrick "personally profited from the trafficking of vast quantities of stolen information, which included sensitive personal data and critical commercial information."

History and Scale of BreachForums

BreachForums launched in March 2022, replacing the previously dismantled RaidForums, which was a similar online marketplace for stolen data breach that police had shut down. According to The Hacker News report, BreachForums reached its peak with approximately 330,000 members and contained over 14 billion individual data records.

Leadership Changes and Failed Attempts to Shut Down BreachForums

Despite repeated attempts by the police to shut down the forum, it consistently reappeared. In 2023, "Baphomet," who took over managing the forum after Fitzpatrick's arrest, was apprehended, leading to the transfer of BreachForums' administration to the ShinyHunters group, one of the most dangerous cybercrime groups known for its involvement in recent major data breaches.

The Disappearance of BreachForums and Prominent Cybercrime Groups

Currently, BreachForums is unavailable online, and its operators have indicated their desire to "disappear." Recent weeks have also seen the disappearance of other prominent cybercrime groups such as Lapsus$ and Scattered Spider.